admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-06-10 02:04:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add TWCERT/CC CVE-2022-39043 CVE-2023-22902 CVE-2023-24834 CVE-2023-24835 CVE-2023-24837 CVE-2023-24838 CVE-2023-24839 CVE-2023-24840 CVE-2023-24841 CVE-2023-24842 CVE-2023-25017 CVE-2023-25018 CVE-2023-25909

Browse Source
This commit is contained in:
unknown 2023-03-27 11:56:24 +08:00
parent e58c3b084c
commit 6b4311f0db
13 changed files with 1095 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

95
2022/39xxx/CVE-2022-39043.json
View File

@ -1,18 +1,101 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2023-02-08T02:52:00.000Z",
"ID": "CVE-2022-39043",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Juiker app - Information Leakage"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Juiker app",
"version": {
"version_data": [
{
"platform": "Android",
"version_affected": "=",
"version_value": "4.6.0607.1"
}
]
}
}
]
},
"vendor_name": "Juiker"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "RayHong (CCoE)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Juiker app stores debug logs which contains sensitive information to mobile external storage. An unauthenticated physical attacker can access these files to acquire partial user information such as personal contacts."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Information Exposure"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://www.twcert.org.tw/tw/cp-132-6922-4a37a-1.html"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Update Juiker app version to 4.6.1223.1"
}
],
"source": {
"advisory": "TVN-202208008",
"discovery": "EXTERNAL"
}
}

92
2023/22xxx/CVE-2023-22902.json
View File

@ -1,18 +1,98 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2023-02-24T02:55:00.000Z",
"ID": "CVE-2023-22902",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Openfind Mail2000 - XSS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mail2000",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "7"
},
{
"version_affected": "=",
"version_value": "8"
}
]
}
}
]
},
"vendor_name": "Openfind"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Openfind Mail2000 file uploading function has insufficient filtering for user input. An authenticated remote attacker with general user privilege can exploit this vulnerability to inject JavaScript, conducting an XSS attack."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://www.twcert.org.tw/tw/cp-132-6953-79236-1.html"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Update Mail2000 version to latest"
}
],
"source": {
"advisory": "TVN-202302001",
"discovery": "EXTERNAL"
}
}

88
2023/24xxx/CVE-2023-24834.json
View File

@ -1,18 +1,94 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2023-02-24T02:56:00.000Z",
"ID": "CVE-2023-24834",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "WisdomGarden Tronclass ilearn - Broken Access Control"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Tronclass ilearn",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "2.3.2"
}
]
}
}
]
},
"vendor_name": "WisdomGarden"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "WisdomGarden Tronclass has improper access control when uploading file. An authenticated remote attacker with general user privilege can exploit this vulnerability to access files belonging to other users by modifying the file ID within URL."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-639 Authorization Bypass Through User-Controlled Key"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://www.twcert.org.tw/tw/cp-132-6954-ed16b-1.html"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Update Tronclass ilearn version to 2.3.4.16"
}
],
"source": {
"advisory": "TVN-202302002",
"discovery": "EXTERNAL"
}
}

88
2023/24xxx/CVE-2023-24835.json
View File

@ -1,18 +1,94 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2023-02-24T02:58:00.000Z",
"ID": "CVE-2023-24835",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Softnext SPAM SQR - Code Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SPAM SQR",
"version": {
"version_data": [
{
"version_affected": "<",
"version_value": "2.221231"
}
]
}
}
]
},
"vendor_name": "Softnext"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Softnext Technologies Corp.s SPAM SQR has a vulnerability of Code Injection within its specific function. An authenticated remote attacker with administrator privilege can exploit this vulnerability to execute arbitrary system command to perform arbitrary system operation or disrupt service."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-94 Improper Control of Generation of Code ('Code Injection')"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://www.twcert.org.tw/tw/cp-132-6955-c7612-1.html"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Update SPAM SQR version to 2.221231"
}
],
"source": {
"advisory": "TVN-202302003",
"discovery": "EXTERNAL"
}
}

88
2023/24xxx/CVE-2023-24837.json
View File

@ -1,18 +1,94 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2023-02-24T03:01:00.000Z",
"ID": "CVE-2023-24837",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "HGiga PowerStation - Command Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PowerStation",
"version": {
"version_data": [
{
"version_affected": "<",
"version_value": "x64.6.2.165"
}
]
}
}
]
},
"vendor_name": "HGiga"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "HGiga PowerStation remote management function has insufficient filtering for user input. An authenticated remote attacker with general user privilege can exploit this vulnerability to inject and execute arbitrary system commands to perform arbitrary system operation or disrupt service."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://www.twcert.org.tw/tw/cp-132-6956-fbd85-1.html"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Update PowerStation firmware version to x64.6.2.165, then reboot PowerStation."
}
],
"source": {
"advisory": "TVN-202302005",
"discovery": "EXTERNAL"
}
}

88
2023/24xxx/CVE-2023-24838.json
View File

@ -1,18 +1,94 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2023-02-24T03:19:00.000Z",
"ID": "CVE-2023-24838",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "HGiga PowerStation - Information Leakage"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PowerStation",
"version": {
"version_data": [
{
"version_affected": "<",
"version_value": "x64.6.2.165"
}
]
}
}
]
},
"vendor_name": "HGiga"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "HGiga PowerStation has a vulnerability of Information Leakage. An unauthenticated remote attacker can exploit this vulnerability to obtain the administrators credential, resulting in performing arbitrary system operation or disrupt service."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Information Exposure"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://www.twcert.org.tw/tw/cp-132-6957-d8f67-1.html"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Update PowerStation firmware version to x64.6.2.165, then reboot PowerStation."
}
],
"source": {
"advisory": "TVN-202302006",
"discovery": "EXTERNAL"
}
}

94
2023/24xxx/CVE-2023-24839.json
View File

@ -1,18 +1,100 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2023-02-24T03:20:00.000Z",
"ID": "CVE-2023-24839",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "HGiga MailSherlock - Reflected XSS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MailSherlock",
"version": {
"version_data": [
{
"version_affected": "<=",
"version_name": "iSherlock-user-4.5",
"version_value": "iSherlock-user-4.5-161"
},
{
"version_affected": "<=",
"version_name": "iSherlock-antispam-4.5",
"version_value": "iSherlock-antispam-4.5-167"
}
]
}
}
]
},
"vendor_name": "HGiga"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "HGiga MailSherlocks specific function has insufficient filtering for user input. An unauthenticated remote attacker can exploit this vulnerability to inject JavaScript, conducting a reflected XSS attack."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://www.twcert.org.tw/tw/cp-132-6958-e1a8e-1.html"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Update MailSherlock packages version to iSherlock-user-4.5-162.386 and iSherlock-antispam-4.5-168.386"
}
],
"source": {
"advisory": "TVN-202302007",
"discovery": "EXTERNAL"
}
}

89
2023/24xxx/CVE-2023-24840.json
View File

@ -1,18 +1,95 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2023-02-24T03:20:00.000Z",
"ID": "CVE-2023-24840",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "HGiga MailSherlock - SQL Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MailSherlock",
"version": {
"version_data": [
{
"version_affected": "<=",
"version_name": "iSherlock-query-4.5",
"version_value": "iSherlock-query-4.5-167"
}
]
}
}
]
},
"vendor_name": "HGiga"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "HGiga MailSherlock mail query function has vulnerability of insufficient validation for user input. An authenticated remote attacker with administrator privilege can exploit this vulnerability to inject SQL commands to read, modify, and delete the database. "
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://www.twcert.org.tw/tw/cp-132-6959-cdecb-1.html"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Update MailSherlock package version to iSherlock-query-4.5-168.386"
}
],
"source": {
"advisory": "TVN-202302008",
"discovery": "EXTERNAL"
}
}

89
2023/24xxx/CVE-2023-24841.json
View File

@ -1,18 +1,95 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2023-02-24T03:20:00.000Z",
"ID": "CVE-2023-24841",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "HGiga MailSherlock - Command Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MailSherlock",
"version": {
"version_data": [
{
"version_affected": "<=",
"version_name": "iSherlock-sysinfo-4.5",
"version_value": "iSherlock-sysinfo-4.5-132"
}
]
}
}
]
},
"vendor_name": "HGiga"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "HGiga MailSherlock query function for connection log has a vulnerability of insufficient filtering for user input. An authenticated remote attacker with administrator privilege can exploit this vulnerability to inject and execute arbitrary system commands to perform arbitrary system operation or disrupt service."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://www.twcert.org.tw/tw/cp-132-6960-fc2fe-1.html"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Update MailSherlock package version to iSherlock-sysinfo-4.5-133.386"
}
],
"source": {
"advisory": "TVN-202302009",
"discovery": "EXTERNAL"
}
}

94
2023/24xxx/CVE-2023-24842.json
View File

@ -1,18 +1,100 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2023-02-24T03:20:00.000Z",
"ID": "CVE-2023-24842",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "HGiga MailSherlock - Broken Access Control"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MailSherlock",
"version": {
"version_data": [
{
"version_affected": "<=",
"version_name": "iSherlock-user-4.5",
"version_value": "iSherlock-user-4.5-161"
},
{
"version_affected": "<=",
"version_name": "iSherlock-antispam-4.5",
"version_value": "iSherlock-antispam-4.5-167"
}
]
}
}
]
},
"vendor_name": "HGiga"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "HGiga MailSherlock has vulnerability of insufficient access control. An unauthenticated remote user can exploit this vulnerability to access partial content of another users mail by changing user ID and mail ID within URL."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-639 Authorization Bypass Through User-Controlled Key"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://www.twcert.org.tw/tw/cp-132-6961-12444-1.html"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Update MailSherlock packages version to iSherlock-user-4.5-162.386 and iSherlock-antispam-4.5-168.386"
}
],
"source": {
"advisory": "TVN-202302010",
"discovery": "EXTERNAL"
}
}

88
2023/25xxx/CVE-2023-25017.json
View File

@ -1,18 +1,94 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2023-02-24T03:31:00.000Z",
"ID": "CVE-2023-25017",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Rifartek IOT Wall - Broken Access Control"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "IOT Wall",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "22"
}
]
}
}
]
},
"vendor_name": "Rifartek"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "RIFARTEK IOT Wall has a vulnerability of incorrect authorization. An authenticated remote attacker with general user privilege is allowed to perform specific privileged function to access and modify all sensitive data."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://www.twcert.org.tw/tw/cp-132-6962-34ac1-1.html"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Update IOT Wall version to v30"
}
],
"source": {
"advisory": "TVN-202302013",
"discovery": "EXTERNAL"
}
}

88
2023/25xxx/CVE-2023-25018.json
View File

@ -1,18 +1,94 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2023-02-24T03:31:00.000Z",
"ID": "CVE-2023-25018",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Rifartek IOT Wall - Reflected XSS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "IOT Wall",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "22"
}
]
}
}
]
},
"vendor_name": "Rifartek"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "RIFARTEK IOT Wall transportation function has insufficient filtering for user input. An authenticated remote attacker with general user privilege can inject JavaScript to perform reflected XSS (Reflected Cross-site scripting) attack."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://www.twcert.org.tw/tw/cp-132-6963-7d2ee-1.html"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Update IOT Wall version to v30"
}
],
"source": {
"advisory": "TVN-202302014",
"discovery": "EXTERNAL"
}
}

92
2023/25xxx/CVE-2023-25909.json
View File

@ -1,18 +1,98 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2023-03-02T05:55:00.000Z",
"ID": "CVE-2023-25909",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "HGiga Inc. OAKlouds - Arbitrary File Upload"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "HGiga OAKlouds",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "2"
},
{
"version_affected": "=",
"version_value": "3"
}
]
}
}
]
},
"vendor_name": "HGIGA INC."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "HGiga OAKlouds file uploading function does not restrict upload of file with dangerous type. An unauthenticated remote attacker can exploit this vulnerability to upload and run arbitrary executable files to perform arbitrary command or disrupt service."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-434: Unrestricted Upload of File with Dangerous Type"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://www.twcert.org.tw/tw/cp-132-6973-45872-1.html"
}
]
},
"solution": [
{
"lang": "eng",
"value": "- Update OAKlouds-layout-2.0 to OAKlouds-layout-2.0-10\n- Update OAKlouds-layout-3.0 to OAKlouds-layout-3.0-10"
}
],
"source": {
"advisory": "TVN-202303001",
"discovery": "EXTERNAL"
}
}